Service Packs and Hot Fixes / MNT-6968

Inbound email supports STARTTLS by default; however, this requires Java + SSL configuration to be done for it to work

    Details

    • Type: Service Pack Request
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.2 R
    • Fix Version/s: 4.0
    • Component/s: Repository
    • Labels: None
    • ACT Numbers: 17170

      Description

      Inbound email supports STARTTLS by default; however, this requires Java + SSL configuration to be done for it to work.

      Basically, when you connect to the inbound subethamail ESMTP service it reports that it supports STARTTLS:

      [root@ts1 ~]# telnet 0 2525
      Trying 0.0.0.0...
      Connected to 0 (0.0.0.0).
      Escape character is '^]'.
      220 ts.alfresco.com ESMTP SubEthaSMTP
      EHLO foo
      250-ts.alfresco.com
      250-8BITMIME
      250-STARTTLS
      250 Ok

      However, if the user has not configured Java + SSL in his JVM as described here (http://stilius.net/java/java_ssl.php), STARTTLS negotiation will fail. The Java logs show:

      12:23:09,349 DEBUG [org.subethamail.smtp.server.ConnectionHandler] SMTP connection count: 1
      12:23:09,351 DEBUG [org.subethamail.smtp.server.ConnectionHandler] Server: 220 ts.alfresco.com ESMTP SubEthaSMTP
      12:23:09,486 DEBUG [org.subethamail.smtp.server.ConnectionHandler] Client: EHLO mx-out-manc3.simplymailsolutions.com
      12:23:09,487 DEBUG [org.subethamail.smtp.server.ConnectionHandler] Server: 250-ts.alfresco.com
      250-8BITMIME
      250-STARTTLS
      250 Ok
      12:23:09,504 DEBUG [org.subethamail.smtp.server.ConnectionHandler] Client: STARTTLS
      12:23:09,504 DEBUG [org.subethamail.smtp.server.ConnectionHandler] Server: 220 Ready to start TLS
      12:23:10,075 WARN [org.subethamail.smtp.command.StartTLSCommand] startTLS() failed: no cipher suites in common
      javax.net.ssl.SSLHandshakeException: no cipher suites in common
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
      at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
      at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:425)
      at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:139)
      at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
      at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
      at org.subethamail.smtp.command.StartTLSCommand.execute(StartTLSCommand.java:57)
      at org.subethamail.smtp.server.CommandHandler.handleCommand(CommandHandler.java:58)
      at org.subethamail.smtp.server.ConnectionHandler.run(ConnectionHandler.java:113)
      12:23:10,076 DEBUG [org.subethamail.smtp.server.ConnectionHandler] Server: 450 Problem attempting to execute commands. Please try again later.
      12:23:10,076 DEBUG [org.subethamail.smtp.server.ConnectionHandler] java.net.SocketException: Socket closed

      I have logged DOC-137 to include the SSL config as a doc note or whatever. I've also updated the wiki here: http://wiki.alfresco.com/wiki/Inbound_Email_Server_Configuration#StartTLS_Support

      I've raised this ticket as a behavioural change suggestion. I figure STARTTLS should be disabled by default, and users should have the option to turn it on in a properties file if they so require it. This would avoid the extra configuration. STARTTLS is not mandatory and most mail servers will happily send email with clear text.

      Also, if possible, regardless of what the user sets, the SMTP service should not report STARTTLS if it knows SSL has not been configured.

      Let me know if this doesn't make sense.
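      Added example (not from this ticket, Alfresco or SubEthaSMTP): a Python probe that checks an inbound SMTP service for exactly the state described above, where STARTTLS is advertised in the EHLO reply but the TLS handshake then fails because the JVM has no usable key/certificate to choose a cipher suite with. It parses the EHLO reply the same way a sending mail server does, then attempts the STARTTLS negotiation and classifies the outcome as "not-advertised", "working" or "advertised-but-broken". The default port 2525 is taken from the telnet session in the description; the EHLO client name is a constructed value.

```python
"""Probe an SMTP service for the STARTTLS failure mode in MNT-6968:
the server advertises STARTTLS in its EHLO reply but cannot complete
the TLS handshake because no key/certificate is configured in the JVM.

Added diagnostic example; it is not part of Alfresco or SubEthaSMTP.
"""
import smtplib
import socket
import ssl
from dataclasses import dataclass


@dataclass
class StartTlsResult:
    advertised: bool    # STARTTLS keyword present in the EHLO reply
    handshake_ok: bool  # TLS handshake completed after STARTTLS
    detail: str


def advertises_starttls(ehlo_reply: bytes) -> bool:
    """Return True if a multi-line EHLO reply (RFC 5321) lists the
    STARTTLS extension keyword defined in RFC 3207."""
    for raw in ehlo_reply.splitlines():
        line = raw.decode("ascii", errors="replace").strip()
        # Extension lines look like "250-KEYWORD [params]"; the final
        # line uses "250 KEYWORD" (a space instead of the hyphen).
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            keyword = line[4:].split(" ", 1)[0].upper()
            if keyword == "STARTTLS":
                return True
    return False


def classify(advertised: bool, handshake_ok: bool) -> str:
    """Collapse the two observations into the state an operator cares about."""
    if not advertised:
        return "not-advertised"
    return "working" if handshake_ok else "advertised-but-broken"


def check_starttls(host: str, port: int = 2525, timeout: float = 10.0) -> StartTlsResult:
    """Live check: connect, send EHLO and, if STARTTLS is offered, try to
    negotiate it. A server in the MNT-6968 state answers 220 to STARTTLS
    and then fails the handshake (JSSE logs 'no cipher suites in common'
    when it has no key for which a suite could be selected)."""
    ctx = ssl.create_default_context()
    # This probe tests whether a handshake is possible at all, not whether
    # the certificate chains to a trusted root, so validation is disabled
    # for the probe only. check_hostname must be cleared before verify_mode.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo("starttls-probe.example")  # constructed client name
            if not smtp.has_extn("starttls"):
                return StartTlsResult(False, False, "STARTTLS not advertised")
            try:
                smtp.starttls(context=ctx)
            except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
                return StartTlsResult(True, False, f"handshake failed: {exc}")
            return StartTlsResult(True, True, "TLS handshake completed")
    except (socket.timeout, OSError) as exc:
        return StartTlsResult(False, False, f"connection failed: {exc}")


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 2525
    result = check_starttls(target_host, target_port)
    print(classify(result.advertised, result.handshake_ok), "-", result.detail)
```

      Run it against the inbound server after changing the keystore or the STARTTLS property: a result of "advertised-but-broken" is the condition the ticket asks the server to avoid, and "not-advertised" is what a server that hides STARTTLS when TLS is unconfigured should report.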

          Activity

          No work has yet been logged on this issue.
            People

            • Assignee: closedbugs Closed Bugs
            • Reporter: sashcraft Scott Ashcraft
            • Votes: 0
            • Watchers: 2
